Possible infection confirmed Win32:SMSSend-IG


22 replies to this topic

#1 4on4off


Posted 21 June 2012 - 08:24 PM

For some time I have been having issues installing a few updates that repeatedly show back up as ready to install. While they say they installed successfully I can not find them in view installed updates. Other updates would appear and install but not repeat, just the 5.

Also, an IE9 update would show up as well even though I am running IE9 on this PC, and that one would always fail with error code 9c48 or an error message saying I currently have a more current version of IE9 on my PC.

Also, recently discovered that while I can access the command prompt thru the run box I can not find it in accessories or system32 folder in order to right click and run as admin.


After bouncing around a bit between forums I ended up here after finding the trojan listed in the topic.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Scott at 17:40:27 on 2012-06-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1786 [GMT -7:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {504FFF66-3028-EB7E-2E60-62B19ADD791C}
SP: BullGuard Antispyware *Enabled/Updated* {EB2E1E82-1612-E4F0-14D0-59C3E15A33A1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: BullGuard Firewall *Enabled* {68747E43-7A47-EA26-053F-CB84640E3E67}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\SvcHost.exe -k BullGuard_Main
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\SvcHost.exe -k BullGuard_Backup
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
C:\Windows\System32\SvcHost.exe -k BullGuard
C:\Windows\System32\SvcHost.exe -k BullGuard_Proxy
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxecserv.exe
C:\Windows\system32\lxeccoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskeng.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1338582609656
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{0D74FD70-FD74-44A7-A493-F29CB85D39D7} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: BgGamingMonitor.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 afw;Agnitum Firewall Driver;c:\windows\system32\drivers\Afw.sys [2009-3-23 33880]
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2010-3-12 61152]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2011-2-9 216136]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2011-2-9 20040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 BsBackup;BullGuard backup service;c:\windows\system32\SvcHost.exe -k BullGuard_Backup [2008-9-26 21504]
R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2011-2-9 321376]
R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-9-26 21504]
R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-9-26 21504]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard_Proxy [2008-9-26 21504]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2008-9-26 21504]
R2 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2010-3-3 178016]
R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2012-6-18 304480]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-26 21504]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2010-10-26 193192]
R3 afwcore;afwcore;c:\windows\system32\drivers\AfwCore.sys [2009-3-23 338520]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2009-5-6 413208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2008-9-25 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-25 79360]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-26 16896]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-06-21 16:31:22 -------- d-----w- c:\program files\ESET
2012-06-20 04:09:48 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4f15bf5b-e6c0-430f-a3d3-cbaf38b58b39}\mpengine.dll
2012-06-19 03:26:31 -------- d-----w- c:\users\scott\SecurityScans
2012-06-19 03:26:20 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-06-05 00:02:18 -------- d-----w- c:\users\scott\appdata\roaming\SUPERAntiSpyware.com
2012-06-05 00:00:55 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-05 00:00:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-03 13:44:41 303616 ----a-w- C:\SetACL.exe
2012-06-03 13:09:49 290304 ----a-w- C:\subinacl.exe
2012-06-03 13:04:40 -------- d-----w- C:\Reg_Backup
2012-06-03 13:02:52 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-06-03 13:02:43 -------- d-----w- c:\program files\Tweaking.com
2012-06-01 14:31:41 -------- d-----w- c:\users\scott\appdata\local\ElevatedDiagnostics
2012-06-01 01:08:00 -------- d-----w- c:\program files\Oracle
2012-06-01 01:07:39 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-01 00:47:44 -------- d-----w- c:\program files\VS Revo Group
2012-06-01 00:20:24 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2012-06-17 19:22:53 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-17 19:22:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-01 16:36:48 140376 ----a-w- c:\windows\system32\MicrosoftUpdateCatalogWebControl.dll
2012-04-21 21:24:25 53088 ----a-w- c:\windows\system32\BGLsp.dll
2012-04-21 21:12:59 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2012-04-21 21:12:59 249856 ----a-w- c:\windows\system32\pdfmona.dll
2012-04-06 19:05:43 33880 ----a-r- c:\windows\system32\drivers\Afw.sys
2012-04-06 19:05:43 20040 ----a-w- c:\windows\system32\drivers\NSNetmon.sys
2012-04-06 19:05:41 100216 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2012-04-06 19:05:39 338520 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2012-04-06 19:05:38 216136 ----a-w- c:\windows\system32\drivers\NSKernel.sys
2012-04-06 19:05:36 308296 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 17:41:12.61 ===============

Running behind getting to work, I hope I didn't forget anything... I will be back after 7 in the morning.

Thanks for your assistance.

4


#2 HelpBot


Posted 26 June 2012 - 08:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/457872 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 4on4off


Posted 26 June 2012 - 10:33 PM

1. If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.

Some time ago I realized that some windows updates were repeatedly showing back up as ready to install even though they said that they installed correctly. I could not see them in view installed updates tho. After searching and trying fix it tools I was unable to resolve this issue. I then posted here at BC. I was asked to run some malware scans and post the logs and because of that I started a new topic in AII:

http://www.bleepingcomputer.com/forums/topic455955.html/page__p__2721005__fromsearch__1#entry2721005

During a scan using aswMBR a trojan was detected: Win32:SMSSend-IG

I then started this thread.

2. A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  • Please do this even if you have previously posted logs for us.


Here is the new DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Scott at 19:54:09 on 2012-06-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2367 [GMT -7:00]
.
AV: BullGuard Antivirus *Disabled/Outdated* {504FFF66-3028-EB7E-2E60-62B19ADD791C}
SP: BullGuard Antispyware *Disabled/Outdated* {EB2E1E82-1612-E4F0-14D0-59C3E15A33A1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: BullGuard Firewall *Enabled* {68747E43-7A47-EA26-053F-CB84640E3E67}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\SvcHost.exe -k BullGuard_Main
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\SvcHost.exe -k BullGuard_Backup
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
C:\Windows\System32\SvcHost.exe -k BullGuard
C:\Windows\System32\SvcHost.exe -k BullGuard_Proxy
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxecserv.exe
C:\Windows\system32\lxeccoms.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\WmiPrvSE.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1338582609656
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{0D74FD70-FD74-44A7-A493-F29CB85D39D7} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: BgGamingMonitor.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 afw;Agnitum Firewall Driver;c:\windows\system32\drivers\Afw.sys [2009-3-23 33920]
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2010-3-12 61152]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2011-2-9 216136]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2011-2-9 20040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 BsBackup;BullGuard backup service;c:\windows\system32\SvcHost.exe -k BullGuard_Backup [2008-9-26 21504]
R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2011-2-9 321376]
R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-9-26 21504]
R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-9-26 21504]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard_Proxy [2008-9-26 21504]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2008-9-26 21504]
R2 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2010-3-3 178016]
R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2012-6-22 304480]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-26 21504]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2010-10-26 193192]
R3 afwcore;afwcore;c:\windows\system32\drivers\AfwCore.sys [2009-3-23 339584]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2009-5-6 413208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2008-9-25 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-25 79360]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-26 16896]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-06-21 16:31:22 -------- d-----w- c:\program files\ESET
2012-06-20 04:09:48 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4f15bf5b-e6c0-430f-a3d3-cbaf38b58b39}\mpengine.dll
2012-06-19 03:26:31 -------- d-----w- c:\users\scott\SecurityScans
2012-06-19 03:26:20 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-06-05 00:02:18 -------- d-----w- c:\users\scott\appdata\roaming\SUPERAntiSpyware.com
2012-06-05 00:00:55 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-05 00:00:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-03 13:44:41 303616 ----a-w- C:\SetACL.exe
2012-06-03 13:09:49 290304 ----a-w- C:\subinacl.exe
2012-06-03 13:04:40 -------- d-----w- C:\Reg_Backup
2012-06-03 13:02:52 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-06-03 13:02:43 -------- d-----w- c:\program files\Tweaking.com
2012-06-01 14:31:41 -------- d-----w- c:\users\scott\appdata\local\ElevatedDiagnostics
2012-06-01 01:08:00 -------- d-----w- c:\program files\Oracle
2012-06-01 01:07:39 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-01 00:47:44 -------- d-----w- c:\program files\VS Revo Group
2012-06-01 00:20:24 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2012-06-22 14:33:35 33920 ----a-r- c:\windows\system32\drivers\Afw.sys
2012-06-22 14:33:32 339584 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2012-06-17 19:22:53 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-17 19:22:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-01 16:36:48 140376 ----a-w- c:\windows\system32\MicrosoftUpdateCatalogWebControl.dll
2012-04-21 21:24:25 53088 ----a-w- c:\windows\system32\BGLsp.dll
2012-04-21 21:12:59 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2012-04-21 21:12:59 249856 ----a-w- c:\windows\system32\pdfmona.dll
2012-04-06 19:05:43 20040 ----a-w- c:\windows\system32\drivers\NSNetmon.sys
2012-04-06 19:05:41 100216 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2012-04-06 19:05:38 216136 ----a-w- c:\windows\system32\drivers\NSKernel.sys
2012-04-06 19:05:36 308296 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:54:48.68 ===============

3. Please tell us if you have your original Windows CD/DVD available.

No, I do not.

4. Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,233 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:27 AM

Posted 28 June 2012 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===


Please navigate to this Microsoft page and run the Automatic fix.

http://support.microsoft.com/kb/906602

There are other suggestions that you may want to investigate.
===

The extra.txt file reports an error with IE 9. You may be wise to uninstall it.
http://windows.microsoft.com/en-US/windows7/how-do-i-install-or-uninstall-internet-explorer-9
===

Also, recently discovered that while I can access the command prompt thru the run box I can not find it in accessories or system32 folder in order to right click and run as admin.

The file could be hidden.
Check this out.
http://www.tech-recipes.com/rx/1521/how_to_view_hidden_and_system_files_and_folders_in_vista
===

Your DDS log is clean.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Let me know what problem persists.

#5 4on4off

4on4off
  • Topic Starter

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 28 June 2012 - 10:00 AM

Greetings nasdaq, it is a pleasure to make your acquaintance.

Please navigate to this Microsoft page and run the Automatic fix.

http://support.microsoft.com/kb/906602

There are other suggestions that you may want to investigate.


The fix it tool did not work. I have used that one before and I have scoured that page without any positive results prior to posting here. I did run it again though to no avail.

The extra.txt file reports an error with IE 9. You may be wise to uninstall it.
http://windows.microsoft.com/en-US/windows7/how-do-i-install-or-uninstall-internet-explorer-9


I have tried uninstalling IE9 both the conventional way and using cmd to no avail. I do not see ie9 in the "view installed updates".

I have been told that if it will not uninstall then I must not have ie8 installed on my pc. Not sure if I uninstalled it after installing ie9, don't know why I would have done that though.


I followed your steps for viewing hidden files and I do see cmd in system32. I then hid everything once again and went back and looked and it is still there in system32. I guess I overlooked it before. Odd that it is in system32 but not accessories, for me anyway.

Your DDS log is clean.


That is good to hear.

Here is the security check results:


Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
BullGuard Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
JavaFX 2.1.0
Java™ 7 Update 4
Java version out of Date!
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

Let me know what problem persists.


The problems that persist are that the same 5 updates say they install correctly but do not show up in view installed updates and return as ready to install. Also, I get the 9C48 error on the ie9 update. Other updates for windows defender install and do not return.

Thank you for your assistance.

4

Edited by 4on4off, 28 June 2012 - 12:02 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,233 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:27 AM

Posted 28 June 2012 - 12:36 PM

Try this one.
Windows Update or Microsoft Update repeatedly offers the same update
http://support.microsoft.com/kb/910339
===

Success or not please run this tool.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

#7 4on4off

4on4off
  • Topic Starter

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 28 June 2012 - 01:17 PM

Nasdaq,

I tried the fix it tool and it did not work.

As instructed I downloaded combofix and ran it.

Here is the log:

ComboFix 12-06-28.01 - Scott 06/28/2012 11:12:35.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1637 [GMT -7:00]
Running from: c:\users\Scott\Desktop\ComboFix.exe
AV: BullGuard Antivirus *Disabled/Outdated* {504FFF66-3028-EB7E-2E60-62B19ADD791C}
FW: BullGuard Firewall *Enabled* {68747E43-7A47-EA26-053F-CB84640E3E67}
SP: BullGuard Antispyware *Disabled/Outdated* {EB2E1E82-1612-E4F0-14D0-59C3E15A33A1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPLB38C.tmp
c:\users\Scott\AppData\Local\._Revolution_
c:\windows\Downloaded Program Files\popcaploader.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
.
.
2012-06-28 18:20 . 2012-06-28 18:21 -------- d-----w- c:\users\Scott\AppData\Local\temp
2012-06-28 18:20 . 2012-06-28 18:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-28 14:48 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A5A548BB-0603-4F10-A7D8-8B39CB8C5E06}\mpengine.dll
2012-06-21 16:31 . 2012-06-21 16:31 -------- d-----w- c:\program files\ESET
2012-06-19 03:26 . 2012-06-19 03:31 -------- d-----w- c:\users\Scott\SecurityScans
2012-06-19 03:26 . 2012-06-19 03:26 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-06-05 00:02 . 2012-06-05 00:02 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2012-06-05 00:00 . 2012-06-05 00:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-05 00:00 . 2012-06-05 00:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-03 13:44 . 2008-05-08 05:03 303616 ----a-w- C:\SetACL.exe
2012-06-03 13:09 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe
2012-06-03 13:04 . 2012-06-04 03:21 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-06-03 13:04 . 2012-06-04 03:02 -------- d-----w- C:\Reg_Backup
2012-06-03 13:02 . 2012-06-04 03:21 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-06-03 13:02 . 2012-06-03 13:02 -------- d-----w- c:\program files\Tweaking.com
2012-06-01 14:31 . 2012-06-01 14:31 -------- d-----w- c:\users\Scott\AppData\Local\ElevatedDiagnostics
2012-06-01 01:08 . 2012-06-01 01:08 -------- d-----w- c:\program files\Oracle
2012-06-01 01:07 . 2012-04-05 01:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-01 00:47 . 2012-06-01 00:47 -------- d-----w- c:\program files\VS Revo Group
2012-06-01 00:20 . 2012-06-01 00:20 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-22 14:33 . 2009-03-23 12:07 33920 ----a-r- c:\windows\system32\drivers\Afw.sys
2012-06-22 14:33 . 2009-03-23 12:07 339584 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2012-06-17 19:22 . 2012-04-06 22:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-17 19:22 . 2011-05-19 18:43 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 16:36 . 2012-05-01 16:36 140376 ----a-w- c:\windows\system32\MicrosoftUpdateCatalogWebControl.dll
2012-04-21 21:24 . 2010-04-19 12:16 53088 ----a-w- c:\windows\system32\BGLsp.dll
2012-04-21 21:12 . 2012-04-21 21:12 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2012-04-21 21:12 . 2012-04-21 21:12 249856 ----a-w- c:\windows\system32\pdfmona.dll
2012-04-06 19:05 . 2011-02-09 17:49 20040 ----a-w- c:\windows\system32\drivers\NSNetmon.sys
2012-04-06 19:05 . 2010-03-18 16:03 100216 ----a-w- c:\windows\system32\BgGamingMonitor.dll
2012-04-06 19:05 . 2011-02-09 17:49 216136 ----a-w- c:\windows\system32\drivers\NSKernel.sys
2012-04-06 19:05 . 2012-04-06 19:05 308296 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-04-04 22:56 . 2009-02-13 23:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-27 13789728]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2012-06-19 1756000]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2011-01-24 148280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-10-09 44168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\BgGamingMonitor.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-04-04 05:53 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 15:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 05:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-06-03 01:50 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 02:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark Pro800-Pro900 Series Fax Server]
2011-01-24 03:47 316072 ----a-w- c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 22:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 17:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 09:56 54936 ----a-w- c:\windows\System32\jureg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 18:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
BullGuard_Main REG_MULTI_SZ BsMain
BullGuard REG_MULTI_SZ BsFileScan BsFire
BullGuard_LowPriv REG_MULTI_SZ BsBrowser
BullGuard_Backup REG_MULTI_SZ BsBackup
BullGuard_Proxy REG_MULTI_SZ BsMailProxy
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-23C3F5C0 - c:\users\scott\appdata\local\micros~1\windows\tempor~1\content.ie5\kosqekin\speedu~1.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-28 11:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Scott\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Completion time: 2012-06-28 11:25:15
ComboFix-quarantined-files.txt 2012-06-28 18:25
.
Pre-Run: 605,604,438,016 bytes free
Post-Run: 605,629,030,400 bytes free
.
- - End Of File - - 1453FF0287CC73E47330FFA3592FDC43


Thank you again for your assistance.

4

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,233 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:27 AM

Posted 29 June 2012 - 07:13 AM

Run the SFC.exe

How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Keep me posted.

#9 4on4off

4on4off
  • Topic Starter

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 29 June 2012 - 09:25 AM

Just a heads up.

Just got home from work and running the sfc.exe now. Will run Farbar afterwards and post the log when it's done.

4

#10 4on4off

4on4off
  • Topic Starter

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 29 June 2012 - 10:07 AM

Nasdaq,

I ran the sfc.exe and it didn't run very long, but it stated the following:

Windows Resource Protection did not find any integrity violations.

Here is the Farbar log:

Farbar Service Scanner Version: 25-06-2012 01
Ran by Scott (administrator) on 29-06-2012 at 08:13:19
Running from "C:\Users\Scott\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************



Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Not sure if I mentioned before that when I check for the updates in "view installed updates" there is no section for Microsoft Windows updates, where I am told ie9 should be. In case it matters.

4
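The "File Check" section of the Farbar log above is a hash allowlist check: each Windows Update service file is hashed and compared with the digest of a known-good copy, and "MD5 is legit" means the bytes on disk match. The script below is an added example that reproduces that check on constructed files; it is not Farbar's code and does not use real Windows binaries or real Microsoft hashes. The file names are taken from the log only to label the constructed samples, and the baseline digests are computed from the constructed "known-good" content, so one file is patched and one removed to show what a mismatch and a missing file look like.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Names of the Windows Update service files the FSS log above reports on; used
# here only to name constructed sample files, not real Windows binaries.
WU_FILES = ["wuaueng.dll", "qmgr.dll", "es.dll", "cryptsvc.dll", "svchost.exe", "rpcss.dll"]


def file_digest(path: str, algo: str = "md5", chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(directory: str, baseline: Dict[str, str], algo: str = "md5") -> List[Tuple[str, str]]:
    """Compare each baselined file with its expected digest.

    Returns (path, verdict) pairs phrased like the FSS 'File Check' section.
    A mismatch only says the bytes differ from the trusted copy; on its own it
    does not tell you why (different patch level, tampering, corruption).
    """
    results = []
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results.append((path, "MISSING"))
            continue
        actual = file_digest(path, algo)
        if actual.lower() == expected.lower():
            results.append((path, f"{algo.upper()} is legit"))
        else:
            results.append((path, f"{algo.upper()} mismatch (got {actual})"))
    return results


def build_sample_tree(algo: str = "md5") -> Tuple[str, Dict[str, str]]:
    """Constructed fixture: a temp dir of fake 'system files' plus the baseline
    digests of their known-good content. One file is then patched and one
    removed so the check has something to report."""
    tmp = tempfile.mkdtemp(prefix="fss_demo_")
    baseline: Dict[str, str] = {}
    for name in WU_FILES:
        good = f"known-good bytes of {name}".encode()
        baseline[name] = hashlib.new(algo, good).hexdigest()
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(good)
    with open(os.path.join(tmp, "wuaueng.dll"), "ab") as fh:  # simulate tampering
        fh.write(b"\x90\x90 appended bytes")
    os.remove(os.path.join(tmp, "rpcss.dll"))  # simulate a missing file
    return tmp, baseline


def run_demo(algo: str = "md5") -> Dict[str, str]:
    """Build the fixture, run the check and return {file name: verdict}."""
    tmp, baseline = build_sample_tree(algo)
    return {os.path.basename(p): v for p, v in check_files(tmp, baseline, algo)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name} => {verdict}")
```

The value of the check depends entirely on where the baseline comes from: the digests must be taken from a trusted source (install media, a vendor manifest), never from the machine under investigation. Farbar reports MD5, which is adequate for spotting corruption or a swapped file, but when building a new baseline pass `algo="sha256"`, since MD5 collisions are cheap to produce. A clean "is legit" on these six files also says nothing about autostart entries elsewhere, which is why the thread goes on to look at the registry load points.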

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,233 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:27 AM

Posted 30 June 2012 - 07:08 AM

Looks like this article could solve your IE 9 problem.
http://superuser.com/questions/410916/why-is-windows-update-trying-to-install-an-update-i-dont-need

Read the article completely.

Follow the instructions under this heading

OK, I think I may have found a solution and I'm posting it here before I've had a chance to test it.

from the article.

Run KB971058 Fix-it. (not the one that pops-up, but the one in the actual page)

What is implied here is that you do the "Fix it myself" option and not the automatic fix.

#12 4on4off

4on4off
  • Topic Starter

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 30 June 2012 - 10:20 AM

Nasdaq,

Thank you for digging this up, I had not come across this fix before.

Looking over the fix it myself option, I see there are several command prompt steps to take. I just got done with a 12 hour night shift and I am going to wait until I get up this afternoon to be sure to have my wits about me before attempting the fix.

Also, do you feel I am clear of the trojan found by aswMBR? Just asking because I wasn't sure, if the malware end was done, whether I should move this to a different forum.

Thanks again and I will post after the steps are completed this afternoon.

4

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,233 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:27 AM

Posted 30 June 2012 - 01:01 PM

This is a better tool to check your MBR.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

#14 4on4off

4on4off
  • Topic Starter

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:27 AM

Posted 30 June 2012 - 05:32 PM

Nasdaq,

Just got up and ran the aswMBR.exe. I see it found the same trojan.

I ran the quick scan, here is the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-30 15:23:19
-----------------------------
15:23:19.431 OS Version: Windows 6.0.6002 Service Pack 2
15:23:19.431 Number of processors: 4 586 0xF0B
15:23:19.431 ComputerName: JILL-PC UserName: Scott
15:23:21.194 Initialize success
15:23:29.587 AVAST engine defs: 12063001
15:23:34.220 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:23:34.220 Disk 0 Vendor: ST375064 3.CH Size: 715404MB BusType: 8
15:23:34.251 Disk 0 MBR read successfully
15:23:34.251 Disk 0 MBR scan
15:23:34.298 Disk 0 unknown MBR code
15:23:34.298 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 707314 MB offset 63
15:23:34.313 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8087 MB offset 1448581050
15:23:34.345 Disk 0 scanning sectors +1465144065
15:23:34.454 Disk 0 scanning C:\Windows\system32\drivers
15:23:49.243 Service scanning
15:24:05.311 Modules scanning
15:24:09.148 Disk 0 trace - called modules:
15:24:09.164 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
15:24:09.663 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8634fac8]
15:24:09.663 3 CLASSPNP.SYS[8b19e8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8577a028]
15:24:11.488 AVAST engine scan C:\Windows
15:24:24.530 AVAST engine scan C:\Windows\system32
15:24:58.085 File: C:\Windows\system32\jureg.exe **INFECTED** Win32:SMSSend-IG [Trj]
15:26:44.649 AVAST engine scan C:\Windows\system32\drivers
15:26:55.943 AVAST engine scan C:\Users\Scott
15:34:19.779 AVAST engine scan C:\ProgramData
15:36:00.056 Scan finished successfully
15:37:57.508 Disk 0 MBR has been saved successfully to "C:\Users\Scott\Desktop\MBR.dat"
15:37:57.524 The log file has been saved successfully to "C:\Users\Scott\Desktop\aswMBR.txt"


I figured since it detected the trojan I would post this before I tried the fix for IE9. Not quite awake just yet, need more coffee.

4
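The aswMBR log above has a regular shape: timestamped lines, partition table entries, an "unknown MBR code" note, and a `**INFECTED**` line carrying the detection name. The parser below is an added example, not AVAST's code, that turns such a log into structured fields and adds the triage notes a responder would want (incomplete scan, unrecognised MBR code, number of active partitions, detections inside a system directory). The sample log is a constructed, abbreviated copy in the same format as the one posted, and the regular expressions are assumptions about that format drawn from the posted lines only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the aswMBR log format shown in the post above
# (abbreviated; line shapes copied from the posted log).
SAMPLE_LOG = r"""aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-30 15:23:19
-----------------------------
15:23:19.431 OS Version: Windows 6.0.6002 Service Pack 2
15:23:34.251 Disk 0 MBR read successfully
15:23:34.298 Disk 0 unknown MBR code
15:23:34.298 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 707314 MB offset 63
15:23:34.313 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8087 MB offset 1448581050
15:24:11.488 AVAST engine scan C:\Windows
15:24:58.085 File: C:\Windows\system32\jureg.exe **INFECTED** Win32:SMSSend-IG [Trj]
15:36:00.056 Scan finished successfully
"""

# Line shapes inferred from the posted log (assumption: aswMBR keeps this layout).
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")
INFECTED_RE = re.compile(
    r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)(?: \[(?P<kind>\w+)\])?$")
PARTITION_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<n>\d+) (?P<boot>[0-9A-Fa-f]{2}) "
    r"(?:\((?P<flag>\w)\) )?(?P<type>[0-9A-Fa-f]{2}) (?P<fs>\S+) \S+ "
    r"(?P<size>\d+) MB offset (?P<offset>\d+)$")
UNKNOWN_MBR_RE = re.compile(r"^Disk \d+ unknown MBR code$")


@dataclass
class Finding:
    path: str
    detection: str
    kind: Optional[str]  # e.g. "Trj" from "[Trj]"


@dataclass
class Report:
    os_version: Optional[str] = None
    unknown_mbr_code: bool = False
    partitions: List[dict] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)
    finished: bool = False


def parse_aswmbr(text: str) -> Report:
    """Extract the fields a responder cares about from an aswMBR log."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner and separator lines carry no timestamp
        msg = m.group("msg")
        pm = PARTITION_RE.match(msg)
        im = INFECTED_RE.match(msg)
        if msg.startswith("OS Version: "):
            rep.os_version = msg[len("OS Version: "):]
        elif UNKNOWN_MBR_RE.match(msg):
            rep.unknown_mbr_code = True
        elif pm:
            rep.partitions.append({
                "disk": int(pm["disk"]), "number": int(pm["n"]),
                "bootable": pm["boot"].lower() == "80",  # 0x80 = active flag
                "type": pm["type"], "fs": pm["fs"],
                "size_mb": int(pm["size"]), "offset": int(pm["offset"]),
            })
        elif im:
            rep.findings.append(Finding(im["path"], im["name"], im["kind"]))
        elif msg == "Scan finished successfully":
            rep.finished = True
    return rep


def triage(rep: Report) -> List[str]:
    """Defender-oriented notes: what in the log deserves a second look."""
    notes = []
    if not rep.finished:
        notes.append("scan did not complete; treat results as partial")
    if rep.unknown_mbr_code:
        notes.append("MBR code not recognised by aswMBR: compare the saved MBR.dat "
                     "with a known boot loader before trusting it")
    active = [p for p in rep.partitions if p["bootable"]]
    if len(active) != 1:
        notes.append(f"expected exactly one active partition, found {len(active)}")
    for f in rep.findings:
        note = f"{f.path}: {f.detection}"
        if "\\system32\\" in f.path.lower():
            note += " (in a system directory: check autostart references and the file's publisher signature)"
        notes.append(note)
    return notes


if __name__ == "__main__":
    for line in triage(parse_aswmbr(SAMPLE_LOG)):
        print(line)
```

Running `triage` on the sample yields one note for the unrecognised MBR code and one for `jureg.exe`, which is exactly the cross-check the next reply makes by hand: the detected file sits in system32 and has a startupreg reference, so both the file and the registry entry need to be looked at together. "Unknown MBR code" on its own is not a verdict; an OEM boot loader also produces it, which is why aswMBR saves MBR.dat for comparison rather than fixing anything.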

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,233 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:27 AM

Posted 01 July 2012 - 07:04 AM

The file may be infected but could also be for Java.

http://www.processlibrary.com/directory/files/jureg/430503/
Process name: Java™ Update RegisterTask
Application using this process: Java™ Platform SE 6 U2
Process author: Sun Microsystems, Inc.
===

>>> Run Jotti's malware scan: Please copy this line (in bold):
C:\Windows\system32\jureg.exe
  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste this Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

p.s.
you also have a reference in the registry.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 09:56 54936 ----a-w- c:\windows\System32\jureg.exe


It is dated 2007; will have to remove that also if found to be bad.



